Professional Documents
Culture Documents
Cryptography Lecture 9: Key Distribution and Trust, Elliptic Curve Cryptography
Cryptography Lecture 9: Key Distribution and Trust, Elliptic Curve Cryptography
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can exchange a key via Trent (provided they
both trust Trent)
Trent
Key distribution center
KAT , KBT
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can exchange a key via Trent (provided they
both trust Trent)
Trent
Key distribution center
KAT , KBT
)
B
A
||K
B
D
(I
T
E KA
1:
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can exchange a key via Trent (provided they
both trust Trent)
Trent
Key distribution center
KAT , KBT
) 2:
A
B E
K
||K B
T (I
B D
D
(I A|
T |K
KA A
1:E B)
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can receive a key from Trent (provided they
both trust Trent)
Trent
Key distribution center
KAT , KBT
B)
AT
(ID
K
E
1:
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can receive a key from Trent (provided they
both trust Trent)
Trent
Key distribution center
KAT , KBT
2:
E
B)
K
(ID
) B
T (I
AB D
AT
|| K A|
K
|K
E
B
(ID
1:
A
B)
T
A
EK
2:
Alice, KAT Bob, KBT
Key distribution center, Blom key pre-distribution
• If Alice shares a key with Trent and Trent shares a key with Bob,
and Alice and Bob each have a public id rA , rB , they can recieve
key-generation info from Trent (provided they both trust Trent)
Trent
Key distribution center
KAT , KBT , a, b, c
aU = a + brU , bU = b + crU
) E
A K
,b BT
(a
(a A B ,b
T B)
E KA
KAB = aA + bA rB
Alice, KAT , rA Bob, KBT , rB
= aB + bB rA
Key distribution center, Station-To-Station (STS) protocol
Trent
Key distribution center
KAT , KBT
αa mod p
Trent
Key distribution center
KAT , KBT
αa mod p αe mod p
Alice, KAT Eve Bob, KBT
e αb mod p
α mod p
Key distribution center, Station-To-Station (STS) protocol
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can use Trent to verify that they exchange key
with the right person
Trent
Key distribution center
KAT , KBT
αa mod p
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can use Trent to verify that they exchange key
with the right person
Trent
Key distribution center
KAT , KBT
αa mod p
αb mod p
Alice, KAT Bob, KBT
EKAB (sigA (αa , αb ))
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can use Trent to verify that they exchange key
with the right person
Trent
Key distribution center
KAT , KBT
B?
ve
rA
r
ve
?
αa mod p
αb mod p
Alice, KAT Bob, KBT
EKAB (sigA (αa , αb ))
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can use Trent to verify that they exchange key
with the right person
Trent
Key distribution center
KAT , KBT
B?
ve
ve
rA
r
rB rA
ve
ve
?
αa mod p
αb mod p
Alice, KAT Bob, KBT
EKAB (sigA (αa , αb ))
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can exchange a key via Trent (provided they
both trust Trent)
Trent
Key distribution center
KAT , KBT
) 2:
A
B E
K
||K B
T (I
B D
D
(I A|
T |K
KA A
1:E B)
• But perhaps Eve has broken a previously used key, and intercepts
Alice’s request
Trent
Key distribution center
KAT , KBT
) Eve
AB
B
||K
(ID
T
EKA
1:
• But perhaps Eve has broken a previously used key, and intercepts
Alice’s request
• Then she can fool Bob into communicating with her
Trent
Key distribution center
KAT , KBT
B
) Eve 2: old
||K
A EK
B BT (ID
(ID
T A ||
EKA K
1: AB
)
Alice, KAT Bob, KBT
Key distribution center, wide-mouthed frog
Trent
Key distribution center
AB
) KAT , KBT
B|
|K
D
||I
A
AT
(t
K
E
1:
Trent
Key distribution center
AB
) KAT , KBT 2:
E
|K
K
B
B|
T (t
D
T ||I
||I
D
A
(t
A|
|K
AT
K
A
E
B)
1:
Trent
Key distribution center
KAT , KBT 2: 3: E
)
AB
E K
BT (t
|K
K
B T ||ID
B|
T (t
D
T A ||
||I K
|| I
D AB
A
)
(t
A|
|K
AT
Eve
K
A
E
B)
1:
Trent
Key distribution center
KAT , KBT 2: 3: E
)
AB
E K
BT (t
|K
K
B T ||ID
B|
) T (t
D
AB T ||I
A ||
K
||I
||K D AB
A
)
(t
B
|ID
A|
0 |
|K
AT
Eve
K
(t T A
E
B)
1:
T
E KA
Alice, KAT4: Bob, KBT
Key distribution center, Needham-Schroeder key agreement
Trent
Key distribution center
|r
B|
1
KAT , KBT
|ID
A|
DI
1:
Trent
Key distribution center
|r
B|
1
KAT , KBT
Trent
Key distribution center
|r
B|
1
KAT , KBT
Trent
Key distribution center
|r
B|
1
KAT , KBT
4: EKS (r2 )
Alice, KAT Bob, KBT
Key distribution center, Needham-Schroeder key agreement
Trent
Key distribution center
KAT , KBT
1
|r
B|
4: EKS (r2 )
Alice, KAT Bob, KBT
5: EKS (r2 − 1)
Key distribution center, Needham-Schroeder key agreement
Trent
Key distribution center
KAT , KBT
Trent Grant
KC , KG KG , KS
• A client, Cliff
Cliff
KC • An authentication server, Trent
• An authorization server, Grant
• A service server, Serge
Serge
KS
Kerberos
Trent Grant
KC , KG KG , KS
• A client, Cliff
Cliff
KC • An authentication server, Trent
• An authorization server, Grant
• A service server, Serge
Trent Grant
KC , KG KG , KS
Cliff
KC
Serge
KS
Kerberos
Trent Grant
KC , KG KG , KS
Serge
KS
Kerberos
Trent Grant
KC , KG KG , KS
2 3
Serge
KS
Kerberos
Trent Grant
KC , KG KG , KS
2 3
Trent Grant
KC , KG KG , KS
2 3
Certification Authority
sT , {ei }
Alice, vT , dA Bob, vT , dB
Public key distribution, using Certification Authorities
Certification Authority
sT , {ei }
)
B
,e
B
B
ID
(ID
1:
n T
i g
,s
B
2 :e
Alice, vT , dA Bob, vT , dB
Public key distribution, using X.509 certificates
Eric Charlie
Diana
Public key distribution, using web of trust (PGP and GPG)
• No central CA
• Users sign each other’s public key
Alice (hashes)
• This creates a “web of trust”
Fred Bob
• Each user keeps a keyring with
the keys (s)he has signed
• The secret key is stored on a
Eric Charlie secret keyring, on h{er,is}
computer
Diana
• The public key(s) and their
signatures are uploaded to key
servers
Public key distribution, a web-of-trust path
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Client Server
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
ClientHello: highest TLS protocol version, random number, suggested public key
systems + symmetric key systems + hash functions + compression
algorithms
ClientHello
Client Server
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
ClientHello: highest TLS protocol version, random number, suggested public key
systems + symmetric key systems + hash functions + compression
algorithms
ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) random
number, system choices, public key
ClientHello
ServerHello,. . .
Client Server
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
ClientHello: highest TLS protocol version, random number, suggested public key
systems + symmetric key systems + hash functions + compression
algorithms
ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) random
number, system choices, public key
ClientKeyExchange: PreMasterSecret, encrypted with the server’s public key
ClientHello
ServerHello,. . .
ClientHello
ServerHello,. . .
ClientHello
ServerHello,. . .
. . . ,Finished
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
ClientHello
ServerHello,. . .
. . . ,Finished
• SSL 1.0 (no public release), 2.0 (1995), 3.0 (1996), originally by
Netscape
• TLS 1.0 (1999), changes that improve security, among other things
how random numbers are chosen
• Sensitive to CBC vulnerability discovered 2002,
demonstrated by BEAST attack 2011
• Current problem: TLS 1.0 is fallback if either end does not
support higher versions
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
ClientHello
ServerHello,. . .
. . . ,Finished
ClientHello, ClientKey
ServerHello,. . .
Client Server
. . . ,Finished
y 2 = x 3 + ax 2 + bx + c
• These solutions are not ellipses, the name elliptic is used for
historical reasons and has do to with the integrals used when
calculating arc length in ellipses:
Z b
dx
√
a x3 + ax 2 + bx + c
Elliptic curves
x x
E E
Elliptic curves
x x
E E
Elliptic curves
x x
E E
Elliptic curves
E = {(x, y ) : y 2 = x 3 + bx + c}
y
E
Elliptic curves
E = {(x, y ) : y 2 = x 3 + bx + c}
y
E
Addition on elliptic curves
E
Addition on elliptic curves
E
Addition on elliptic curves
E
Addition on elliptic curves
E = {(x, y ) : y 2 = x 3 + bx + c},
E
Multiplication on elliptic curves
E
Multiplication on elliptic curves
E
Discrete elliptic curves
y
x3 − x + 1
E
Discrete elliptic curves
• Example:
E = {(x, y ) : y 2 = x 3 + 4x + 4 mod 5}
The points in E are
x = 0 gives y 2 = 4 so that y = 2 or y = 3
x = 1 gives y 2 = 9 = 4 so that y = 2 or y = 3
x = 2 gives y 2 = 20 = 0 so that y = 0
x = 3 gives y 2 = 43 = 3, no square root
x = 4 gives y 2 = 84 = 4 so that y = 2 or y = 3
x = ∞ gives y = ∞
Discrete elliptic curves
• Example:
E = {(x, y ) : y 2 = x 3 + 4x + 4 mod 5}
The points in E are
(∞, ∞)
y
x
Elliptic curves
E = {(x, y ) : y 2 = x 3 + bx + c},
E = {(x, y ) : y 2 = x 3 + bx + c},
B = kA = A + A + ... + A
• This might seem different, but is the equivalent problem. The only
difference is the group operation name (“multiplication or
“addition”)
Discrete Logarithms on elliptic curves
• The discrete logarithm for elliptic curves: given two points A and B
on an elliptic curve, find k so that
B = kA = A + A + ... + A
• There is an analog for the Polig-Hellman algorithm.
This works well when the smallest integer n such that
nA = ∞ has only small factors
Discrete Logarithms on elliptic curves
• The discrete logarithm for elliptic curves: given two points A and B
on an elliptic curve, find k so that
B = kA = A + A + ... + A
• There is an analog for the Polig-Hellman algorithm
• The discrete logarithm for elliptic curves: given two points A and B
on an elliptic curve, find k so that
B = kA = A + A + ... + A
• There is an analog for the Polig-Hellman algorithm
• The public key is the values of p, α, and β, while the secret key is
the value a
• The public key is E and the values of p, α, and β, while the secret
key is the value a
b(aα) = a(bα)
• The public key is the values of p, α, and β, while the secret key is
the value a
r = αk mod p
s = k −1 (m − ar ) mod (p − 1)
= rx (aα) + mα − arx α = mα
Trapdoor one-way functions
A trapdoor one-way function is a function that is easy to compute but
computationally hard to reverse
• Easy to calculate f (x) from x
• Hard to invert: to calculate x from f (x)
A trapdoor one-way function has one more property, that with certain
knowledge it is easy to invert, to calculate x from f (x)
There is no proof that trapdoor one-way functions exist, or even real
evidence that they can be constructed. Examples:
• RSA (factoring)
• Knapsack (NP-complete but insecure with trapdoor)
• Diffie-Hellman + ElGamal (discrete log)
• EC Diffie-Hellman + EC ElGamal (EC discrete log)